… and shame the Devil, as I was often told as a child. Sound advice you’d think, but in the world of IT Security such honesty could cost you your job. I was alerted on Twitter by Kai Wittenburg to the story of Pennsylvania’s CISO Robert Maley. According to the story on Computerworld’s web site, Maley was fired by his employer, apparently after commenting on a security incident during the RSA show. The reason given for his dismissal ws that he failed to get the proper approvals before making his comments. The incident in question appears to have been a vulnerability in a scheduling system at the Department of Transport. The Department denies that any hacking or breach was involved in the incident, but details have been handed over to the State Police for investigation. This furore is taking place against a backdrop of cuts of 38% in IT security budgets and 40% in staffing.

Chances are, Maley’s employer does insist on rigid prior approval for this sort of thing. It’s all part of the culture of secrecy around security incidents that’s endemic in large organisations. The immediate effect is to make it more difficult for all of us to get budgets approved for security programmes. Faced with yet another capital expenditure request for an IT security programme, the CEO will say “..but , if this threat is real, why don’t I ever read about it in the Press?” Answer: because far too many organisations follow the lead of the Commonwealth of Pennsylvania and deny everything.

And there’s another consequence of not discussing these incidents – we don’t learn from them. In his book “Managing the Human Factor in Information Security“, David Lacey describes how the aviation industry has systematically and ruthlessly pursued safety through a combination of mandatory incident reporting and thorough investigation of “near misses”. Any major incident is the result of a series of cascading failures. If any one element holds up under pressure, then the disaster is averted. However, there are still a whole load of individual failures to be investigated and lessons to be learned. Next time, you might not be so lucky.

As our World becomes ever more dependent upon on-line systems, so the impact of security incidents will become ever greater. Unless we allow – even encourage – IT security professionals to follow Maley’s example and openly discuss these incidents, how can we ever hope to improve?